it appears that PAM is suffering from some fundamental architecture problems with regards to authentication beyound the normal UID/GID credentials. namely, some institutions rely on services such as kerberos whose authentication methods are not easily performed using the PAM interface. this is truly a shame because you are now requiring people to roll their own methods for authentication instead of being able to use a PAM module.
And your suggested alternative is?
xdm's architecture unfortunately does not lend itself to proper pamification. For Red Hat Linux 6.1, I'm happy to report that it looks like we'll be using gdm 2.0, which is the first *dm to do proper PAM authentication, to the best of my knowledge. If there are bugs in that support, we certainly want to know about it. I'm going to mark this as "fixed in the next release"; if gdm 2 as I expect ships in 6.1 does not work for you with that module, please re-open this bug report with details. If you have reports of other programs not working with the kerberos PAM modules you are using, please open seperate bug reports against each of those programs so that we will not miss some of them. Please note that some programs are constrained by protocol (such as IMAP) and so cannot be made to take full advantage of PAM's flexibility. Sorry, but our hands are tied in those cases.
I'm the person who maintains the (modified Red Hat) Linux distribution for CMU ECE. Kerberos is actually the least of the problems with PAM --- and xdm is not the only program which has problems. Kerberos-related PAM issues easily worked around by adding a chown() in the appropriate PAM module after acquiring tickets and storing them in the ticket cache. The real problem is that the Kerberos tickets are then used to acquire AFS tokens (modified Kerberos service tickets), which are stuffed into a kernel-side cache called a PAG so the AFS client filesystem code can authenticate to the AFS servers. The difficulty is that when many programs invoke the PAM session stack, they are running in the server's context; while for Kerberos this means that files created by the PAM module have the wrong owner, for AFS it means that multiple connections will share the same PAG and therefore the same AFS permissions. I should note that this is also not limited to Red Hat's products: xscreensaver does some things wrong when AFS PAM modules are involved, and Sun's CDE has to be patched to work with AFS PAM modules. It seems to be a general problem with knowing when to invoke PAM module stacks. This issue caused several departments at CMU to avoid Red Hat 6.0.